With the explosion of comprehensive privacy laws around the world over the last seven to eight years, many organizations have implemented privacy programs that “check the box” on compliance requirements. But these programs come with challenges, relying on labor-intensive, error-prone manual processes. As companies catch their breath from achieving compliance, many are now looking for ways to get the most from their technology platforms, automate tasks, improve the accuracy of their personal data inventory, and increase efficiency for their staff. There are many approaches to involving technology and technical team members in your program to accomplish these goals.
Definitions
Many similar-sounding terms refer to the use of technology solutions and engineering processes in the context of privacy, which can cause confusion. Here are some definitions to provide clarity:
- Privacy Technology: This refers to software platforms which are designed to meet the needs of administering a modern privacy program. These platforms provide functionality for activities such as maintaining a data inventory, managing data subject requests, or providing a consent mechanism for users to make choices about the use of tracking technologies on a website.
- Privacy Enhancing Technology (PET): PET generally refers to technical solutions that are incorporated into other systems to enhance data protection by minimizing personal data use or maximizing data security. Examples of PETs include de-identification, differential privacy (see the sketch after this list), pseudonymization, and encryption.
- Privacy by Design: This refers to the concept of integrating privacy and data protection principles into the design of products, services, and systems from the beginning. Privacy by Design can be applied to a variety of areas, including software development, business and decision-making practices, and user experience design.
- Privacy Engineering: This is an emerging discipline that generally covers the practices and techniques used to apply Privacy by Design to the development of software and other technology products, though the term is often used interchangeably with Privacy by Design. Privacy engineers generally have a technical background and work with product, design, and development teams to implement PETs and privacy-safe design into a company’s technical products and services.
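To make one of these PETs concrete, here is a minimal sketch of the Laplace mechanism, a basic building block of differential privacy: random noise is added to a query result so that no single individual’s presence can be inferred. The `epsilon` privacy budget and the counting query are illustrative assumptions; real deployments require careful budget accounting and use NumPy here only for Laplace sampling.

```python
import numpy as np

def dp_count(values, epsilon=0.5, sensitivity=1.0):
    """Return a differentially private count using the Laplace mechanism.

    Noise drawn from Laplace(0, sensitivity / epsilon) masks any single
    individual's contribution. `epsilon` is a hypothetical privacy budget
    chosen purely for illustration.
    """
    true_count = len(values)
    noise = np.random.laplace(loc=0.0, scale=sensitivity / epsilon)
    return true_count + noise

# Example: a private count of survey respondents
respondents = ["alice", "bob", "carol"]
print(dp_count(respondents))  # e.g., 3.8 -- noisy, so no one person is revealed
```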
Example Use Cases and Solutions
There are many use cases for applying these concepts. Let’s consider some examples of challenges faced by today’s privacy teams and how these concepts can help solve them.
Task Automation
Automating tasks managed by Privacy Technology system(s) can have numerous benefits, including increased productivity for staff, reduction of errors, faster fulfillment, and improved scalability for tasks executed in large volumes. Several types of tasks are commonly automated; we’ll examine two of them here.
Companies must evaluate and fulfill myriad types of data subject requests under various privacy laws, each with its own workflow and tasks. Organizations generally have two motivations for automating certain tasks:
- Accuracy: Some tasks are complex and prone to errors or incompleteness when done manually. Examples include verifying an individual’s identity, retrieving all of an individual’s personal data from numerous different systems to fulfill an access request, or deleting an individual’s personal data from certain systems for a deletion request without deleting data that must be retained for various business or legal purposes (see the sketch after this list).
- Scalability: When an organization receives a large volume of requests, it can be challenging to fulfill them all within applicable regulatory deadlines if the company performs all tasks manually. Automating specific tasks can be less expensive than hiring additional workers, and it tends to increase customer satisfaction due to requests being fulfilled more quickly.
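The sketch below illustrates the deletion scenario from the accuracy point above: a request is fanned out across systems, but retention holds are honored. The system names, the `RETENTION_HOLDS` table, and the deletion placeholder are all hypothetical; a real implementation would call each system’s actual API.

```python
# Hypothetical systems holding personal data; in practice these would be
# API clients for a CRM, data warehouse, support desk, etc.
SYSTEMS = ["crm", "warehouse", "support_desk"]

# Hypothetical retention rules: data that must be kept despite a deletion
# request (e.g., invoices retained under tax law).
RETENTION_HOLDS = {
    "warehouse": "financial records retained 7 years under tax law",
}

def fulfill_deletion_request(user_id: str) -> dict:
    """Delete a user's data from every system unless a retention hold applies."""
    results = {}
    for system in SYSTEMS:
        hold = RETENTION_HOLDS.get(system)
        if hold:
            results[system] = f"skipped: {hold}"
        else:
            # Placeholder for the real per-system deletion call.
            results[system] = "deleted"
    return results

print(fulfill_deletion_request("user-123"))
# {'crm': 'deleted', 'warehouse': 'skipped: ...', 'support_desk': 'deleted'}
```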
Organizations must also manage consent choices from individuals for things like not selling/sharing their personal data, opting out of profiling, or unsubscribing from marketing communications. Automation is essential to communicating these choices accurately and quickly to downstream systems so that they start or stop processing based on the individual’s choices.
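A minimal sketch of this kind of consent propagation, assuming hypothetical downstream handlers (in practice these would be an email service provider, ad platforms, or analytics tools):

```python
from dataclasses import dataclass

@dataclass
class ConsentChoice:
    user_id: str
    purpose: str      # e.g., "sale_sharing", "profiling", "marketing_email"
    opted_out: bool

# Hypothetical downstream handlers keyed by purpose.
DOWNSTREAM = {
    "marketing_email": lambda c: print(f"ESP: unsubscribe {c.user_id}"),
    "sale_sharing": lambda c: print(f"Ad platform: suppress {c.user_id}"),
}

def propagate(choice: ConsentChoice) -> None:
    """Push a consent choice to every downstream system that needs it."""
    handler = DOWNSTREAM.get(choice.purpose)
    if handler and choice.opted_out:
        handler(choice)

propagate(ConsentChoice("user-123", "marketing_email", opted_out=True))
```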
Data Minimization
Data minimization is a key privacy principle that limits the collection and storage of personal data to what is necessary for fulfilling specific purposes. Simply not collecting personal data goes a long way toward satisfying this principle, but there are also other methods. “Personal data” under modern privacy laws includes any element of data that can be associated with an identified or identifiable person. Modifying data so that it no longer meets this definition is another way to minimize usage of personal data.
PETs are often leveraged to accomplish this goal when individual characteristics are not needed to accomplish a purpose. For example, de-identification is the process of removing identifying information from data to prevent knowledge or disclosure of personal data. De-identified data is often sufficient for research, statistical analysis, and training AI models. However, there are varying definitions and standards within different laws that must be met to consider data to be de-identified. It’s imperative that organizations understand which definitions and standards apply to their use cases.
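As a simple illustration, the sketch below drops direct identifiers and generalizes a quasi-identifier (exact age becomes an age band) before records are used for analysis. The field names are hypothetical, and real de-identification must be validated against the specific legal standard that applies to the use case.

```python
DIRECT_IDENTIFIERS = {"name", "email", "phone"}  # hypothetical field names

def deidentify(record: dict) -> dict:
    """Drop direct identifiers and coarsen age into a 10-year band."""
    out = {k: v for k, v in record.items() if k not in DIRECT_IDENTIFIERS}
    if "age" in out:
        band = (out["age"] // 10) * 10
        out["age"] = f"{band}-{band + 9}"  # e.g., 34 -> "30-39"
    return out

patient = {"name": "Ana Diaz", "email": "ana@example.com", "age": 34, "dx": "J45"}
print(deidentify(patient))  # {'age': '30-39', 'dx': 'J45'}
```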
Pseudonymization is another technique that involves replacing personal data elements with artificial identifiers or pseudonyms. A simple example of this is a book author using a pen name instead of their real one. Pseudonymization is used in many industries, including finance and healthcare, to reduce the scope of personal data to be managed and to reduce risk associated with disclosure of such data.
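One common engineering approach to pseudonymization is keyed hashing: the same identifier always maps to the same pseudonym, so records can still be joined across datasets, but the mapping cannot be reversed without the secret key. A minimal sketch (the key shown is illustrative; real keys belong in a secrets manager):

```python
import hashlib
import hmac

# Illustrative key only -- in practice, load this from a secrets manager.
SECRET_KEY = b"replace-with-a-managed-secret"

def pseudonymize(identifier: str) -> str:
    """Map an identifier to a stable pseudonym using HMAC-SHA256."""
    return hmac.new(SECRET_KEY, identifier.encode(), hashlib.sha256).hexdigest()[:16]

print(pseudonymize("jane.doe@example.com"))  # same input -> same pseudonym
```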
Transparency
Transparency is another key privacy principle that requires any information relating to processing of personal data to be openly shared, easily accessible, and written in clear, plain language that is easy for the average person to understand. Fulfilling this principle requires disciplined practices around documenting how personal data is used, carefully considering new uses, and disclosing information via a privacy notice/policy.
A data inventory (a.k.a., data map or record of processing activities) in the privacy world is a set of curated information about the personal data which a company collects, stores, uses, and potentially shares with others. Some privacy laws explicitly require maintaining a data inventory, but even without an explicit requirement, it is essential to maintain one to be able to fulfill other legal requirements. For example, it would be impossible for most organizations to write an accurate and transparent privacy notice without an accurate data inventory.
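What an inventory entry captures varies by organization and law, but a minimal record of a processing activity might look like the following sketch. The field names are illustrative, loosely modeled on common record-of-processing-activities templates.

```python
from dataclasses import dataclass, field

@dataclass
class ProcessingActivity:
    """One entry in a data inventory / record of processing activities."""
    name: str                                            # e.g., "Newsletter signup"
    purpose: str                                         # why the data is processed
    data_categories: list = field(default_factory=list)  # what is collected
    systems: list = field(default_factory=list)          # where it is stored
    recipients: list = field(default_factory=list)       # who it is shared with
    retention: str = ""                                  # how long it is kept

newsletter = ProcessingActivity(
    name="Newsletter signup",
    purpose="Send marketing emails to subscribers",
    data_categories=["email address", "name"],
    systems=["marketing platform"],
    recipients=["email service provider"],
    retention="Until unsubscribe",
)
```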
It is also important to understand that a data inventory is never “done” and instead must be maintained over time as the landscape of personal data usage evolves. Implementing good Privacy by Design practices is an excellent way to help maintain the inventory by integrating privacy and data protection principles into the design of products, services, and systems from the beginning. This allows the privacy team to be aware of what’s coming and to proactively update the data inventory, privacy notices, and other artifacts as needed.
Obfuscation
Data obfuscation is used by privacy and security teams to scramble, hide, or modify data to make it useless to malicious actors. There are many different methods of obfuscation, varying in complexity and suited to different purposes. Privacy engineers and security engineers are usually responsible for implementing these methods via integration with a company’s software development teams. Obfuscation methods generally fall into the following categories (a combined code sketch follows the list):
- Masking: These methods involve substituting fake data in place of real data. This might be as simple as replacing characters with an asterisk, for example, to hide a person’s last name, but also includes techniques that scramble or shuffle data. Redaction is another example of a masking method. Masking can often be easily reversed, so it’s generally considered a weak approach to obfuscation, though adequate for many purposes.
- Tokenization: These methods substitute sensitive data with a meaningless value known as a token. For example, credit card numbers are commonly tokenized as part of payment processing operations so that the actual number is not revealed to intermediaries. Tokens usually cannot be reversed mathematically, but they can be mapped back to the original data by anyone with access to the token mapping. It is generally considered a moderate to strong approach to obfuscation.
- Encryption: These methods use complex math to transform data into nonsensical text (a.k.a., ciphertext) in a way that can be decoded, but only by authorized parties who have decryption keys. It is generally considered a strong to very strong approach to obfuscation, depending on the complexity of the encryption algorithm and the size of the keys. However, most forms of encryption come with a limitation: the data cannot be used or analyzed while it remains encrypted. Recent advances in homomorphic encryption have overcome this limitation by allowing computations to be performed on encrypted data without decrypting it. That said, the computational cost of homomorphic encryption remains high, limiting its applications for now.
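The sketch below illustrates all three categories side by side: naive character masking, tokenization backed by a lookup table, and symmetric encryption via the third-party `cryptography` package (a real library; the surrounding code is illustrative and omits the key management a production system would need).

```python
import secrets
from cryptography.fernet import Fernet  # pip install cryptography

# Masking: substitute asterisks; easily reversed if the source is known.
def mask(value: str, visible: int = 2) -> str:
    return value[:visible] + "*" * (len(value) - visible)

# Tokenization: replace data with a random token; only the vault maps back.
token_vault: dict[str, str] = {}

def tokenize(value: str) -> str:
    token = secrets.token_hex(8)
    token_vault[token] = value
    return token

# Encryption: reversible, but only with the key.
key = Fernet.generate_key()
fernet = Fernet(key)

card = "4111111111111111"
print(mask(card))                   # '41**************'
tok = tokenize(card)
print(tok, token_vault[tok])        # random token, plus the vault lookup
ct = fernet.encrypt(card.encode())
print(fernet.decrypt(ct).decode())  # '4111111111111111'
```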
Conclusion
The privacy legal landscape is complex and growing more so every week. Even attorneys formally trained in the law can have a difficult time reconciling different requirements and advising their company or clients on what to do. However, good privacy operations require more than just legal knowledge; they also require collaboration with technologists and engineers, along with marketing teams and representatives from each business unit.